Biggest DDoS ever aimed at Cloudflare’s content delivery network

Network Time Protocol attack reached 400Gbps.

A distributed denial-of-service attack targeting a client of the content delivery network Cloudflare reached new highs in malicious traffic today, striking at the company’s data centers in Europe and the US. According to a Twitter post by Cloudflare CEO Matthew Prince, the full volume of the attack exceeded 400 gigabits per second—making it the largest DDoS attack ever recorded.

The attack used Network Time Protocol (NTP) reflection, the same technique used in recent attacks against gaming sites by a group called DERP Trolling. NTP is used to synchronize the time settings on computers across the Internet. The attack made fraudulent synchronization requests to NTP servers that caused them to send a flood of replies back at the targeted sites.

Reflection attacks have been a mainstay of DDoS tools and botnets, but the use of NTP in such attacks is relatively new. Last year’s attack on Spamhaus, which previously set the record for the largest DDoS ever, used a Domain Name Service (DNS) protocol attack—a much more common approach that takes advantage of the Internet’s directory service, forging requests for DNS lookups from the intended target and sending them to scores of open DNS servers. The size of the traffic directed back at the target from these requests far exceeds the size of the requests sent to the DNS servers, which is why the technique is often called a DNS amplification attack.

By comparison, NTP sends much smaller amounts of data in response to requests. But while efforts have been made to prevent DNS amplification attacks by reducing the number of open DNS servers available to attackers, there are still over 3,000 active public time servers configured to reply to NTP requests, as well as many more time servers on smaller networks that may be open to outside requests.

Further, a recently discovered vulnerability in NTP allows for amplification attacks similar to those previously performed with DNS, exploiting a command in the protocol called “monlist” that sends the IP addresses of the last 600 devices connected to the server. Sent in packets bearing the forged source address of the victim, these requests cause a torrent of data to be returned to the targeted site. Like DNS reflection attacks, NTP attacks can be diminished in effectiveness by network operators if they configure firewalls to block external requests.
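The amplification described above leaves a simple signature in flow data: replies leaving UDP port 123 that dwarf the requests they answer, and, on the victim's side, replies arriving from many distinct time servers that the victim never queried. The following detector is an added example written for this article, not code from Cloudflare or Ars Technica; the flow-record format (`src:port -> dst:port packets bytes`), the sample addresses (RFC 5737 documentation ranges) and the thresholds are all assumptions made for the illustration.

```python
"""Flag NTP reflection/amplification in flow records (added example, not from the article).

Two views of the same attack:
  * abused_reflectors(): run on your own network's flows to find a time server that is
    answering some peer with far more bytes than that peer sent (i.e. it is being used
    as a reflector against that peer);
  * reflection_victims(): run on a target network's flows to find a host that receives
    amplified port-123 replies from several distinct servers it never queried.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

NTP_PORT = 123
# A normal time exchange is a 48-byte NTP packet each way (76 bytes on the wire with
# UDP/IPv4 headers), so reply/request byte ratios near 1 are benign.  The thresholds
# below are assumptions chosen for this example, not values from the article.
AMPLIFICATION_RATIO = 10.0   # replies this many times larger than requests are suspect
MIN_REPLY_BYTES = 10_000     # ignore tiny unmatched replies (flow-export timing noise)
MIN_REFLECTORS = 3           # a victim sees amplified replies from at least this many servers


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed 'src:port -> dst:port packets bytes' record."""
    src, _arrow, dst, pkts, nbytes = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(s_ip, int(s_port), d_ip, int(d_port), int(pkts), int(nbytes))


def load_flows(text: str) -> List[Flow]:
    """Parse a block of records, skipping blank lines and '#' comments."""
    return [parse_flow_line(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def amplification_by_pair(flows: List[Flow]) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Return {(ntp_server, peer): (bytes peer->server, bytes server->peer)}.

    Anything sent to port 123 is counted as a request, anything sent from port 123 as a
    reply; server-to-server sync (123 -> 123) therefore shows up in both maps with a
    ratio near 1 and is not flagged.
    """
    to_server: Dict[Tuple[str, str], int] = defaultdict(int)
    from_server: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if f.dst_port == NTP_PORT:
            to_server[(f.dst_ip, f.src_ip)] += f.bytes
        if f.src_port == NTP_PORT:
            from_server[(f.src_ip, f.dst_ip)] += f.bytes
    pairs = set(to_server) | set(from_server)
    return {p: (to_server.get(p, 0), from_server.get(p, 0)) for p in pairs}


def amplifying_pairs(flows: List[Flow]) -> List[Tuple[str, str, int, int, float]]:
    """(server, peer, request_bytes, reply_bytes, ratio) for every pair whose replies dwarf requests.

    A spoofed request never appears in the victim's own flows, so request_bytes of 0
    (ratio = inf) is the expected shape of reflection seen from the target side.
    """
    hits = []
    for (server, peer), (req, rep) in amplification_by_pair(flows).items():
        ratio = rep / req if req else float("inf")
        if rep >= MIN_REPLY_BYTES and ratio >= AMPLIFICATION_RATIO:
            hits.append((server, peer, req, rep, ratio))
    return hits


def abused_reflectors(flows: List[Flow]) -> Dict[str, List[str]]:
    """Server-side view: {ntp_server: [peers it is amplifying traffic toward]}."""
    out: Dict[str, List[str]] = defaultdict(list)
    for server, peer, *_ in amplifying_pairs(flows):
        out[server].append(peer)
    return dict(out)


def reflection_victims(flows: List[Flow]) -> Dict[str, List[str]]:
    """Target-side view: {victim: [distinct servers reflecting at it]} above MIN_REFLECTORS."""
    by_peer: Dict[str, set] = defaultdict(set)
    for server, peer, *_ in amplifying_pairs(flows):
        by_peer[peer].add(server)
    return {peer: sorted(s) for peer, s in by_peer.items() if len(s) >= MIN_REFLECTORS}


# Constructed sample records (documentation address ranges; byte counts are illustrative).
FLOW_RECORDS = """
# legitimate client sync: one 76-byte packet each way
192.0.2.10:54321 -> 203.0.113.5:123 1 76
203.0.113.5:123 -> 192.0.2.10:54321 1 76
# legitimate server-to-server sync, both ends on port 123
203.0.113.5:123 -> 192.0.2.99:123 1 76
192.0.2.99:123 -> 203.0.113.5:123 1 76
# a handful of small requests carrying the forged source address 198.51.100.7 ...
198.51.100.7:40000 -> 203.0.113.5:123 10 640
198.51.100.7:40000 -> 203.0.113.9:123 10 640
198.51.100.7:40000 -> 203.0.113.13:123 10 640
# ... and each open server answers the spoofed address with a torrent of data
203.0.113.5:123 -> 198.51.100.7:40000 1000 480000
203.0.113.9:123 -> 198.51.100.7:40000 1000 480000
203.0.113.13:123 -> 198.51.100.7:40000 1000 480000
"""

if __name__ == "__main__":
    flows = load_flows(FLOW_RECORDS)
    print("servers acting as reflectors:", abused_reflectors(flows))
    print("hosts under reflection:", reflection_victims(flows))
```

On the sample data the three 203.0.113.x servers are reported as reflectors and 198.51.100.7 as the host under attack, while both legitimate exchanges stay quiet because their byte ratio is 1. For a server you operate, the fix that closes the monlist vector is to disable the monitor facility (`disable monitor` in ntp.conf) or to run an ntpd release from which monlist has been removed (4.2.7p26 and later), in addition to the border filtering the article recommends.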

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.